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Abstract 

We show that verification of object-oriented programs by means of the asser- 
tional method can be achieved in a simple way by exploiting a syntax-directed 
transformation from object-oriented programs to recursive programs. This 
transformation suggests natural proofs rules and its correctness helps us to es- 
tablish soundness and relative completeness of the proposed proof system. One 
of the difficulties is how to properly deal in the assertion language with the 
instance variables and aliasing. The discussed programming language supports 
arrays, instance variables, failures and recursive methods with parameters. We 
also explain how the transformational approach can be extended to deal with 
other features of object-oriented programming, like classes, inheritance, subtyp- 
ing and dynamic binding. 



1. Introduction 

1.1. Background and motivation 

Ever since its introduction in [l4| the assertional method has been one of 
the main approaches to program verification. Initially proposed for the modest 
class of while programs, it has been extended to several more realistic classes 
of programs, including recursive programs (starting with (lBj). programs with 
nest ed p rocedure declarations (see [HI), parallel programs (starting with (23| 
and [24j| ) . and distributed programs based on synchronous communication (see 
Q). At the same time research on the theoretical underpinnings of the pro- 
posed proof systems resulted in the introduction in [l(| of the notion of relative 
completeness and in the identification of the inherent incompleteness for a com- 
prehensive ALGOL- like programming language (see Q). 
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However, (relative) completeness of proof systems proposed for current object- 
oriented programming languages (see the related work section below) remained 
largely beyond reach because of the many intricate and complex features of lan- 
guages like Java. In this paper we present a transformational approach to the 
formal justification of proof systems for object-oriented programming languages. 
We focus on the following main characteristics of objects: 

• objects possess (and encapsulate) their own (so-called instance) variables, 
and 

• objects interact via method calls. 

The execution of a method call involves a temporary transfer of control from 
the local state of the caller object to that of the called object (also referred to 
by callee) . Upon termination of the method call the control returns to the local 
state of the caller. The method calls are the only way to transfer control from 
one object to another. We illustrate our approach by a syntax-directed transfor- 
mation of the considered object-oriented programs to recursive programs. This 
transformation naturally suggests the corresponding proof rules. The main re- 
sult of this paper is that the transformation preserves (relative) completeness. 

To make this approach work a number of subtleties need to be taken care 
of. To start with, the 'base' language needs to be appropriately chosen. More 
precisely, to properly deal with the problem of avoiding methods calls on the 
null object we need a failure statement. In turn, to deal in a simple way with 
the call-by-value parameter mechanism we use parallel assignment and block 
statement. Further, to take care of the local variables of objects at the level of 
assertions we need to appropriately define the assertion language and deal with 
the substitution and aliasing. 

We introduced this approach to the verification of object-oriented programs 
in our recent book Q where we proved soundness. The aim of this paper is to 
provide a systematic and self-contained presentation which focuses on (relative) 
completeness and to explain how to extend this approach to other features of 
object-oriented programming. Readers interested in example correctness proofs 
may consult 0, pages 226-237]. 

1.2. Related work 

The origins of the proof theory for recursive method calls presented here 
can be traced back to [l2j. However, in |l2j the transformational approach to 
soundness and relational completeness was absent and failures were not dealt 
with. In (25l | an extension to the typical object-oriented features of inheritance 
and subtyping is described. There is a large literature on assertional proof meth- 
ods for object-oriented languages, notably for Java. For example, [17J discusses 
a weakest precondition calculus for Java programs with annotations in the Java 
Modeling Language (JML). JML can be used to specify Java classes and inter- 
faces by adding annotations to Java source files. An overview of its tools and 
applications is provided in Q. In [l6| a Hoare logic for Java with abnormal 
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termination caused by failures is described. However, this logic involves a ma- 
jor extension of the traditional Hoare logic to deal with failures for which the 
transformational approach breaks down. 

Object-oriented programs in general give rise to dynamically evolving pointer 
structures as they occur in programming languages like Pascal. This leads to the 
problem of aliasing. There is a large literature on logics dealing with aliasing. 
One of the early approaches, focusing on the linked data structures, is described 
in 21]. A more recent approach is that of separation logic described in 28|. In 
[l[ a Hoare logic for object-oriented programs is introduced based on an explicit 
representation of the global store in the assertion language. In [f| restrictions on 
aliasing are introduced to ensure encapsulation of classes in an object-oriented 
programming language with pointers and subtyping. 

Recent work on assertional methods for object-oriented programming lan- 
guages (see for example focuses on object invariants and a corresponding 
methodology for modular verification. In [22j also a class of invariants is intro- 
duced which support modular reasoning about complex object structures. 

Formal justification of proof systems for object-oriented programming lan- 
guages have been restricted to soundness (see for example [3(| and [H|). Be- 
cause of the many intricate and complex features of current object-oriented 
programming languages (relative) completeness remained largely beyond reach. 
Interestingly, in the above-mentioned [l[ the use of the global store model is 
identified as a potential source of incompleteness. 



1.3. Technical contributions 

The proof system for object-oriented programs presented in our paper is 
based on an assertion language comparable to JML. This allows for the specifi- 
cation of dynamically evolving object structures at an abstraction level which co- 
incides with that of the programming language: in this paper the only operations 
on objects we allow are testing for equality and dereferencing. Our transforma- 
tion of the considered object-oriented programs to recursive programs preserves 
this abstraction level. As a consequence we have to adapt existing completeness 
proofs to recursive programs that use variables ranging over abstract data types, 
e.g., the type of objects. 

In this paper we focus on strong partial correctness which requires absence of 
failures. Note that absence of failures is naturally expressed by a corresponding 
condition on the initial state, that is, by a corresponding notion of weakest 
precondition. Similarly, total correctness of recursive programs is also naturally 
expressed by weakest preconditions, see Q. 

To ex pre ss weakest preconditions over abstract data types in an assertion 
language [29( use a coding technique that requires a weak second-order language. 
In contrast, we introduce here a new state-based coding technique that allows 
us to express weakest preconditions over abstract data types in the presence of 
infinite arrays in a first- order assertion language. 

Further, we generalize the original completeness proof of [l3| for the partial 
correctness of recursive programs to weakest preconditions in order to deal with 
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strong partial correctness. The completeness proof of [13| is based on the ex- 
pression of the graph of a procedure call in terms of its strongest postcondition 
of a precondition which "freezes" the initial state by some fresh variables. If 
we use instead weakest preconditions to express the graph of a procedure call 
these freeze variables are used to denote the final state. Because of possible 
divergence or failures however we cannot eliminate in the precondition these 
freeze variables by existential quantification. As such the completeness proof of 



13] breaks down. We show in this paper how to restore completeness by the 
introduction of weakest preconditions which explicitly model divergence and 
failures. 

1.4- Plan of the paper 

In the next section we introduce a kernel language that consists of while 
programs augmented with the parallel assignment, the failure statement and 
the block statement, and describe its operational semantics. In Section [3] we 
extend this kernel language to a small object-oriented language that forms the 
subject of our considerations. In Section U we define an operational semantics 
of this language. 

Then, in Section[5]we introduce a class of recursive programs, define a trans- 
formation of the object-oriented programs to recursive programs, and prove 
correctness of this transformation in an appropriate sense. 

Next, in Section [S] we introduce the assertion language for object-oriented 
programs and extend the substitution operation to instance variables. In Sec- 
tion [7] we introduce the proof system that allows us to prove correctness of the 
considered object-oriented programs. Subsequently, in Section[8]we explain how 
soundness and relative completeness of this system can be established by reduc- 
ing it to the analysis of a corresponding proof system for recursive procedures. 

In Section [9] we prove relative completeness of our proof system for object- 
oriented programs on the basis of the transformation, addressing the issues de- 
scribed above. Finally, in Section [TU1 explain how this approach can be extended 
to deal with other features of object-oriented programming, like classes, inheri- 
tance and subtyping, and with total correctness. In Appendix |Appcndix B 



list the rules defining the semantics of the kernel language, the introduced proof 
rules and the introduced proof systems. 



2. Preliminaries 

2.1. A kernel language 

We assume at least two basic types, integer and Boolean, and for each 
n > 1 the higher types 2\ x . . . x T n — > T, where T\ 1 . . ., T„, T are basic types. 
Ti,...,T n are called argument types and T the value type. Simple variables 
are of a basic type and array variables of a higher type. By Var we denote 
the set of variable declarations. Usually, we omit the typing information and 
identify a variable declaration with the variable name. Out of typed variables 
and typed constants typed expressions are constructed. To deal with aliasing we 
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use conditional expressions of the form if B then t\ else t<i fi. A subscripted 
variable is an expression a[ti, . . ., t n ] for a suitably typed array variable a. 

In this section we introduce the following small kernel programming lan- 
guage: 

S ::= skip \ u:=t\x:=i\Si; S 2 | if B then Si else 5 2 fi | if B Si fi | 
while £? do Si od | begin local x :— i; Si end 

where S stands for a typical statement or program, u for a simple or subscripted 
variable, t for an expression (of the same type as u) , and B for a Boolean expres- 
sion. Further, x := t is a parallel assignment, with x = a;i, . . . , x n a non-empty 
sequence of distinct simple variables and t = t\ , . . . , t n a sequence of expressions 
of the corresponding types. The parallel assignment plays a crucial role in our 
modeling of the parameter passing. The failure statement if B — > Si fi is used to 
check the condition B during the execution. It raises a failure if B is not satisfied. 
Thus it differs from the abbreviation if B then S fi = if B then S else skip fi. 
To distinguish between local and global variables, we use a block statement 
begin local x := t; Si end, where a; is a non-empty sequence of simple distinct 
local variables, all of which are explicitly initialized by means of a parallel as- 
signment x := t. We assume that the sets of local and global variables are 
disjoint. 

For an expression t, we denote by var(t) the set of all simple and array 
variables in t. Analogously, for a program 5*, we denote by var(S) the set 
of all simple and array variables in S, and by change(S) the set of all global 
simple and array variables that can be modified by S, i.e., the set of variables 
that appear on the left-hand side of an assignment in S outside of a subscript 
position of a subscripted variable. 

2.2. ... and its semantics 

We define the operational semantics of the kernel language in a standard 
way, using a structural operational semantics in the sense of Plotkin [271. A 
configuration C is a pair < S, a > consisting of a statement S that is to be 
executed and a state a, i.e., a mapping that assigns to each variable (including 
local variables) of type T a value drawn from the set T>t denoted by type T. 

Given a state a and an expression t, we define in a standard way its semantics 
o-(t), the value assigned to it by a. Further, given a sequence of expressions t 
(in particular, a sequence of variables x), we denote by a(t) the corresponding 
sequence of values assigned to t by a. 

We denote the set of states by S. Unless stated otherwise, the letters a, t 
range over S. We use a special state fail to represent an abnormal situation in 
a program execution, a failure in an execution of a program. We stipulate that 
fail ^ S. Sometimes to avoid confusion we refer to the elements of S as proper 
states. 

We use the notion of a state update of a proper state tr, written as a[u := d], 
where u is a simple or subscripted variable of type T and d is an element of type 
T . If u is a simple variable then o~[u :— d] is the state that agrees with a except 
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for u where its value is d. If u is a subscripted variable, say u = a\t\, . . ., t n ], then 
a[u := d] is the state that agrees with a except for the variable a where the value 
a(a)(a(ti), . . ., a(t n )) is changed to d. For the special state we define the update 
by fail[ti := d] = fail. Further, the parallel update a[u\, . . . , u n := di, . . . , d n ] 
of distinct simple variables is the state that agrees with a except for Ui where 
its value is di, for i £ {1, . . . , n}. 

A transition is a step C — > C between configurations. To express termina- 
tion we use the empty statement E; a configuration < E, a > denotes termi- 
nation in the state cr. Transitions are specified by transition axioms and rules. 
The only transition axioms that are somewhat non-standard deal with the block 
statement and the failure statement. We write here a |= B to denote that B is 
true in the state a. 

• < if B -> S R,a > -J- < S,a >, where cr (= B, 

• <ifB->5fl,(T> -> < fail >, where cr |= -iB, 

• < begin local x :— i; S end, cr > — >• < x :— f; 5; x := cr(x), cr >. 

The last axiom ensures that the local variables are initialized as prescribed 
by the parallel assignment and that upon termination the local variables are 
restored to their initial values, held at the beginning of the block statement. 
This way we implicitly model a stack discipline for, possibly nested, blocks. 
The other transition axioms and rules are standard (see |Appcndix A[ ) . 

The partial correctness semantics is a mapping A^JS*] : S -^-V(Y,) defined 

by 

M\S\{a) = {t e E |< S> > ^* < E,t >}, 

where — >•* denotes the reflexive, transitive closure of — > . The strong partial 
correctness semantics is a mapping A^JS 1 ] : E — > P(E U {fail}) defined by 

A4 sp [S'](cr) = {TeEU{fail}|< > S',cr> ^* <E,T>}. 

So for all S and a we have fail A / ![S'](cr), while for some S and a we can have 
fail € At sp [5]((r). In the latter case we say that S can fail when started in cr. 
We extend these semantic mappings to sets of states, X C E, by collecting all 
results obtained for the individual states cr e X. 

3. Object-oriented programs: syntax 

To define the syntax of the considered object-oriented programming language 
we introduce a new basic type object which denotes an infinite set of objects 

^object ■ 
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3.1. Expressions 

An expression of type object denotes an object. Simple variables of type 
object and array variables with value type object are called object variables. 
We distinguish the simple object variable this which in each state denotes the 
currently executing object. 

Besides the set Var of variable declarations defined in Section [2] we now in- 
troduce a new set IVar of instance variable declarations (so Var n IVar = 0). 
An instance variable can be a simple variable or an array variable. Thus we 
now have two kinds of variable declarations: the up till now considered decla- 
rations of normal variables (Var), which are shared, and the new declarations 
of instance variables (IVar), which are owned by objects. As before we identify 
each variable declaration with the variable name. Out of instance array vari- 
ables we construct, as in the case of normal array variables, subscripted instance 
variables. 

For simplicity we assume that each object owns the same set of instance 
variables. Each object has its own local state which assigns values to the instance 
variables. We stipulate that this is a normal variable, that is, this £ Var. 

The only operation of a higher type which involves the basic type object 
(as argument type or as value type) is the equality = t>ject (abbreviated by =). 
Finally, we use the constant null of type object to represent the void reference, 
a special construct which does not have a local state. 

Summarizing, the set of expressions defined in Section [5] is extended by the 
introduction of the basic type object, the constant null of type object, and 
the set IVar of (simple and array) instance variables. Object expressions, i.e., 
expressions of type object, can only be compared for equality. A variable is 
either a normal variable (in Var) or an instance variable (in IVar). Simple 
variables (in Var U IVar) can now be of type object. Also the argument and 
the value types of array variables (in Var Li IVar) can be of type object. Finally, 
we have the distinguished normal object variable this. 

3. 2. Programs 

For object-oriented programs we extend the syntax of the kernel language 
introduced in Section [2] Assignments to instance variables are introduced as 
follows: 

S ::= u := t, 

where u G IVar is a simple or subscripted (instance) variable. Method calls are 
described by the clause 

S ::= s.m(ti, . . .,t n ), 

where n > 0. Here the object expression s denotes the called object, the iden- 
tifier m denotes a method and t\ , . . . , t n are the actual parameters, which are 
expressions of a basic type. A method is defined by means of a declaration 

m(u\, . . . ,u n ) :: S, 
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where the formal parameters u\ , . . . , u„ s Var are of a basic type and S is a 
statement called the method body. Since the statements now include method 
calls, we allow for mutually recursive methods. However, the declarations can- 
not be nested, so we do not allow for nested methods. 

The instance variables appearing in the body S of a method declaration 
are owned by the executing object, which is denoted by the variable this. To 
ensure correct use of the variable this we disallow assignments to the variable 
this. However, when describing the semantics of method calls, we do use 'aux- 
iliary' block statements in which the variable this is used as a local variable, so 
in particular, it is initialized (and hence modified). Further, to ensure that in- 
stance variables are permanent, we require that in each block statement instance 
variables are not used as local variables. 

Apart from denoting the callee of a method call, object expressions can 
appear in Boolean expressions. Further, we allow for assignments to object 
variables. 

An object-oriented program consists of a main statement S built according 
to the syntax of this section and a given set D of method declarations such 
that each method used has a unique declaration in D and each method call 
refers to a method declared in D. We assume that method calls are well-typed, 
i.e., the numbers of formal and actual parameters agree and for each parameter 
position the types of the corresponding actual and formal parameters coincide. 
As before, name clashes between local variables and global variables are resolved 
by assuming that no local variable of S or D occurs freely (i.e., as a global 
variable) in S or D. If D is clear from the context we refer to the main statement 
as an object-oriented program. 

Example 3.1. Consider the object-oriented program 

S = this. find(z) 

in the context of the recursive method declaration 

find(u) :: if u ^ this then next.find(u) fi. 

We assume that the actual parameter z, the formal parameter u, and the in- 
stance variable next are of type object. The idea is that S checks whether 
a list of objects linked via the pointer next contains an object stored in the 
actual parameter z. The search through the list starts at the object stored in 
the variable this. □ 



4. Object-oriented programs: semantics 

In this section we define the semantics of the introduced object-oriented 
programs. We first define the semantics of expressions. It requires an extension 
of the definition of state. Subsequently we introduce a revised definition of 
an update of a state and provide transition axioms concerned with the newly 
introduced programming constructs. 
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4-1. Semantics of expressions 

The main difficulty in defining the semantics of expressions is of course how 
to deal properly with the instance variables. Each instance variable has a differ- 
ent version ('instance') in each object. Conceptually, when defining the seman- 
tics of an instance variable u we view it as a variable of the form this.u, where 
this represents the current object. So, given a proper state a and a simple in- 
stance variable x we first determine the current object o, which is cr(this). Then 
we determine the local state of this object, which is er(o), or cr(o"(this)), and 
subsequently apply this local state to the considered instance variable x. This 
means that given a proper state a the value assigned to the instance variable x 
is a{o)(x), or, written out in full, a (a '(this)) (x). This two-step procedure is at 
the heart of the definition of semantics of an expression given below. 

Next, we introduce a value null G ^object- So in each proper state each 
variable of type object equals some object of £> bject, which can be the null 
object. A proper state a now additionally assigns to each object o G £> bject 
its local state <r(o). In turn, a local state er(o) of an object o assigns a value 
of appropriate type to each instance variable. Note that by definition a proper 
state also assigns to null a local state. However, by Lemma 14.21 from Section 
4.31 below this state is not reachable in any computation. 

Note that the local state of the current object cr(this) is given by <r(cr(this)). 
Further, note that in particular, if an instance variable x is of type object, then 
for each object o G £> bject, °~(o)( x ) is either null or an object d G 2? bject, 
whose local state is cr(o'), i.e., a(a(o)(x)). This application of a can of course 
be nested, to get local states of the form a(a(a(o)(x))(x)), etc. 

To illustrate the notion of a state consider Figure Q] The current object is 
represented by a pointer to its memory region. Each occurrence of the variable 
x is here an instance variable of a different object. In contrast, the normal 
variables, in particular this, form the global component of the state. 
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Wc need to extend the semantics cr(s) of an expression s in a proper state a 
(cf. Section |2?2|) by the following clauses: 

• if s = null then cr(s) = null, so the meaning of the constant null (repre- 
senting the void reference) is the null object, 

• if s = x for some simple instance variable x then tx(s) = cr(o)(x), where 
o = (7 (this), so in expanded form this is 

a(x) = cr(o-(this))(x). (1) 



• if s = o[si, . . . , s n ] for some instance array variable a then 



a(s) = <r(o)(a)(a(s 1 ),. . . ,a(s n )), 

where o — c(this). 



4-2. Updates of states 

Next, we revise the definition of a state update for the case of instance 
variables. Consider a proper state er, a simple instance variable x, and a value 
d belonging to the type of x. To perform the corresponding state update of a 
on x to d, written as a[x := d], we first identify the current object o, which is 
er(this) and its local state, which is cr(o), or er(cr(this)), that we denote by r. 
Then we perform the appropriate update on the state r. So the desired update 
of a is achieved by modifying r to t[x := d]. 

In general, let u be a (possibly subscripted) instance variable of type T and 
t a local state. We define for d € T>t 

t[u := d] 

analogously to the standard definition of state update for normal variables. 
Furthermore, we define for an object o € ^object and local state r, the state 
update a[o := t] by 



<j[o := t](o' 



t if o = o' 
cr(o') otherwise. 



We are now in a position to define the state update o~[u := d] for a (possibly 
subscripted) instance variable u of type T and d e T>x, as follows: 

o~\u := d] = a[o := t[u := d]], 

where o = cr (this) and r = a(o). Note that the state update a[o := t[u := d]] 
assigns to the current object o the update t[u := d] of its local state r. In its 
fully expanded form we get the following difficult to parse definition of a state 
update: 

a[u := d] = er[<7(this) := er(er(this))[u := d}]. 
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Example 4.1. Let x be a Boolean instance variable, o = cr(this), and t = <r(o). 
Then 

a[x := true] (a;) 
= {(HJ) with a replaced by a[x := true]} 

a[x := true](<r[a; := true] (this)) (a;) 
= {by the definition of state update, a[x := true] (this) = cr(this) = o} 

a[x :— true] (o) (a;) 
= {definition of state update a[x := true]} 

cr[o := t[x := true]](o)(x) 
= {definition of state update a[o := t[x := true]]} 

t[x := true] (a;) 
= {definition of state update t[x := true]} 

true. 

□ 

4-3. Semantics of programs 

For the operational semantics of the considered programs we introduce two 
transition axioms that deal with assignments to simple or subscripted instance 
variables u and with method calls s.m(i), where i is the list of actual parameters. 

• < u := t, a > — > < E, a[u := a(t)\ >, 

• < s.m(t),a > — > < if s ^ null — > begin local this, u :— s, t; S end fi, a >, 

where m{u) :: S G D. 

This clarifies that we use the stack discipline to handle the method calls. 
Indeed, the method body S is executed in the state in which the current ob- 
ject (denoted by the variable this) becomes cr(s), and upon termination of the 
method body S the current object is restored to its previous value c(this) using 
the parallel assignment cr[this,u :— er(s,i)]. The use of the failure statement 
implies that if in the considered state a the called object s equals the void 
reference (it equals null) , then the method call yields a failure. 

Lemma 4.2. (Safety) For every statement S that can arise during an exe- 
cution of an object-oriented program and every proper state a, the following 
hold. 

(i) Absence of null Reference: if er(this) ^ null and < S,a > —> < 
Si,t >, then r(this) ^ null. 

(ii) Type Safety: if S is well-typed and < S, a > — > < Si,t > holds, then 
also Si is well-typed. 
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Proof, (i) If S ^ E then any configuration < S,a > has a successor in the 
transition relation — > . To prove the preservation of the assumed property 
of the state it suffices to consider the execution of an assignment this := s. 
Each such assignment arises only within the context of the block statement 
in the corresponding transition axiom and is activated in a state a such that 
<j(s) ^ null. This yields a state r such that r(this) ^ null. 

(n) Except for method calls, the statements on the right-hand side of the transi- 
tion axioms are composed of the substatements of the statement on the left-hand 
side of the transition axiom, which are well-typed by assumption. Further, by 
the second transition axiom above, well-typed method calls lead to well-typed 
parallel assignments in the block statements. □ 

When considering verification of object-oriented programs we shall only con- 
sider computations that start in a proper state a such that a(this) ^ null, i.e., 
in a state in which the current object differs from the void reference. The Safety 
Lemma [4.21 implies that such computations never lead to a proper state in which 
this inequality is violated. 

The partial correctness semantics and the strong partial correctness 

semantics A^ sp [5] of object-oriented programs S are defined as for the kernel 
language. 

5. Transformation to recursive programs 

In this section we show that object-oriented programs introduced in the 
previous section can be translated by means of a simple syntax-driven transfor- 
mation to recursive programs with parameters. Intuitively, for each method the 
current object is made into an explicit parameter of the corresponding recursive 
procedure. 

5.1. Recursive programs 

As a preparation we introduce recursive programs by adding recursive pro- 
cedures with call-by-value parameters to the kernel language. Procedure calls 
with parameters are introduced by the grammar rule 

S ::= P(ti, . . . , t n ), 

where P is a procedure identifier and ti,...,t n , with n > 0, are expressions 
called actual parameters. Procedures are defined by declarations of the form 

P(ui, ...,u n ):: S, 

where u\, . . . , u n are distinct simple variables, called formal parameters of the 
procedure P and S is the body of the procedure P. 

We assume a given set of procedure declarations D such that each procedure 
that appears in D has a unique declaration in D. A recursive program consists 
of a main statement S built according to the syntax of this section and a given 
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set D of procedure declarations such that all procedures whose calls appear 
in the considered recursive programs are declared in I?. So we allow mutually 
recursive procedures but not nested procedures. We assume that procedure calls 
are well-typed in the same sense as method calls. As in the case of the object- 
oriented programs, name clashes between local variables and global variables 
are resolved by assuming that no local variable of S or D occurs freely in S or 
D. 

Semantics 

For recursive programs we extend the operational semantics of the kernel 
language by the following transition axiom that describes the call-by-value pa- 
rameter mechanism. 

< P(£),a > — > < begin local u := i; S end, a >, where P(u) :: S € D. 

This yields for a recursive program S the semantics A1[5] and s;) JS"] . 

Note that thanks to the semantics of the block statement this axiom correctly 
handles the clash between formal and actual parameters. For example for P(u) :: 
S G D we get, as desired, 

< P(u+ l),er > -t* < S;u := a(u),a[u:= a(u + l)] > . 

5. 2. Transformation 

We now define a formal relation between object-oriented programs and re- 
cursive programs. We assume the class of recursive programs that use normal 
variables whose type may involve the basic type object and the class of object- 
oriented programs, as defined in Section [3] Further, we assume for every dec- 
laration of an instance variable u of a basic type T a declaration in Var of a 
normal array variable u of type 

object -> T. 

Similarly, we assume for every declaration of an instance variable a of a higher 
type T\ x . . . x T n — > T a declaration in Var of a normal array variable a of type 

object x Ti x . . . x T n -> T. 

A normal array variable of type 

object — > T 

in the recursive program will represent the instance variable of basic type T in 
the corresponding object-oriented program, and a normal array variable of type 

object x Tx x . . . x T n -> T 

in the recursive program will represent an instance variable of the corresponding 
object-oriented program of type Ti x . . . x T n — > T. 
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Given an 'object-oriented' state a we denote by 0(cr) the 'normal' state 
which represents the instance variables as normal variables. On normal variables 
of type T the states a and 6(a) agree and are of type Var — ► T>t- For instance 
variables of basic type T the state a is of type 

^object -> (IVar^V T ), 

the corresponding state 0(<r) is of type 

Var -> (^object ->f r ), 

and for instance array variables of type Ti x . . . x T n — > T the state a is of type 

^object -> (/Var -»• (£> Tl x . . . x 2? T „ -»• X> T )), 

and the corresponding state 0(<r) is of type 

Var -> (^object x D Tl x...xD Tn 4D T ). 

Formally, 0(<r) is defined as follows: 

• e(fail) = fail, 

• 0(<r)(a;) = <j(x), for every normal variable x, 

• Q(a)(z)(o) = a(o)(z), for every object o G ^object and normal array 
variable z of type object ->T on the left-hand side of the equation cor- 
responding to an instance variable z of a basic type T on the right-hand 
side of the equation, 

• 6(<7)(<x)(o, d\, ...,d n ) = a(o)(a)(di, . . . ,d n ), for every object o <G ^object 
and normal array variable a of type object x Ti x . . . x T n — > T on the 
left-hand side of the equation corresponding to an instance array variable 
a of type T\ x . . . x T n — > T on the right-hand side of the equation, and 
di € T>Ti , for i G {1, . . . , n). 

Next, we define for every expression s of the object-oriented programming 
language the 'normal' expression 0(s) of the recursive program by induction on 
the structure of s, with the following base cases: 

• 0(x) = x, for every normal variable x, 

• 0(x) = x[this], for every instance variable a; of a basic type, 

• 0(a[si, . . . , s n ]) = a[this, 0(si), . . . , 0(s n )], for every instance array vari- 
able a. 

The first case in particular yields ©(this) = this. The following lemma clarifies 
the outcome of this transformation. 

Lemma 5.1. (Translation) For all proper states a the following hold. 
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(i) For all expressions s, 

a(s) = 9(a)(6( S )), 

where 9(cr)(9(s)) refers to the standard semantics of expressions which 
involve only normal variables. 

(ii) For all (possibly subscripted) instance variables u and values d of the same 
type as u, 

Q(a[u := d]) = e(a)[Q(u) := d]. 

Proof. By straightforward induction on the structure of s and case analysis on 
the structure of u. □ 

Next, we extend by structural induction the transformation 9 to statements 
of the considered object-oriented language. The failure statement is used to 
take care of the method calls on the void reference. We prove then that this 
transformation preserves both partial and strong partial correctness semantics. 

• Q(skip) = skip, 

• <d(x :=t) =x := 9(F), 

• e(u := s) = Q(u) := Q(s), 

• e(*.m(si,...,«„))=if 9(s)^null^ m(9(s), 9(si), . . . , 9(s„)) fi, 
. Q(Sx; 5 2 ) = 0(Si); 9(5 2 ), 

• 9(if B then S x else S 2 fi) = if 9(B) then 9(5 X ) else Q(S 2 ) fi, 

• 9(while BdoS od) = while 9(B) do @(S) od, 

• 9(if B -> S fi) = if 9(B) -> 9(5) fi, 

• 9(begin local u :— i; S end) = begin local u := 9(f); 9(5) end, 

where 0(F) denotes the result of applying 9 to the sequence of expressions 
t. 

So the translation of a method call s.m(si, . . . , s n ) transforms the called object 
s into an additional actual parameter of a call of the procedure m. Additionally 
a check for a failure is added. Finally, we transform every method declaration 

m(ui, ...,u n )::S 

into a procedure declaration 

m(this, Mi, ... , u n ) :: 9(5). 
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So the distinguished normal variable this is added as an additional formal pa- 
rameter of the procedure m. This way the set D of method declarations is 
transformed into the set 

0(D) = {m(this, u u . . . , u n ) :: 9(5) | m(m, . . . , u n ) :: S G D} 

of the corresponding procedure declarations. 

Example 5.2. Consider the object-oriented program 

S = y.add(l); y.add(2), 

where y is a normal variable of type object, in the context of the declaration 

D = {add(x) :: sum :— sum + a;}, 

where the formal parameter x is of type integer and sum is an instance variable, 
also of type integer. Then the transformation 6 yields 

0(S) = if y ^ null -> add(y, 1) fi; if y null -> add(y, 2) fi 

and 

0(D) = {add(this, x) :: sum[this] := sum[this] + x} 
as the corresponding recursive program. □ 

5.3. Correctness proof 

We have the following crucial correspondence between an object-oriented 
program S and its transformation O(S). 

Lemma 5.3. (Transformation) For all well-typed object-oriented programs 
S, all sets of method declarations D, all proper states a, and all proper or fail 
states t, 

<S,a> ->* <E,t> iff < O(S), 0(a) > ^* < E, 0(t) > . 

Proof. We prove only the (=>) direction. We proceed by induction on the 
number of the axiom and rule applications used in the computation < 5, a > 
< E,t >. 

The only non-trivial case arises when S begins with a method call, that is, 
is of the form s.m(i); Si. By the assumption, 

< s.m(t); S\, a > — > < begin local this, u := s, i; S end; Si, a > — >* < E,t >, 

where a(s) ^ null and m(u) :: S G D. So by the induction hypothesis and 
definition of O, 

< 9(begin local this, u := s, t; S end); 6(Si), 6(<r) < E, Q(t) > . 
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Note that 



0(s.m(i); Si) = if ©(s)^null^ m(0(s), 6(f)) fl; 0(50, 

By the Translation Lemma ISHT i). we have 0(<r)(0(s)) 7^ null. So by definition 
of the semantics of recursive programs and definition of 0, 

<if 0(s)^null^ m(0(s), 0(f)) fl; 0(50, 0(o-) > 
->■* < 0(begin local this, u := s, t\ 5 end); 0(50, 0(<O >, 

which concludes the proof. □ 

Finally, the following theorem establishes the correctness of the transforma- 
tion as a homomorphism. We extend here to a (possibly empty) set of 
states in an obvious way. 

Theorem 5.4. (Correctness of 0) For all well-typed object-oriented pro- 
grams S, all sets of method declarations D, and all proper states a the following 
holds: 

(i) Q{M[S\(a)) = M[Q{S)\{Q(a)), 

(ii) ®{M sp iS\(o-)) = M sp MS)j(Q(a)), 

where S is considered in the context of the set D and the corresponding recursive 
program 0(5) in the context of the set of procedure declarations Q(D). 

Proof. The claim is a direct consequence of the Transformation Lemma l5.3l □ 

6. Assertion language 

6.1. Syntax and semantics 

Expressions of the programming language only refer to the local state of the 
executing object and do not allow us to distinguish between different versions 
of the instance variables. In the assertions we need to be more explicit. So we 
introduce the set of global expressions which extends the set of expressions of the 
object-oriented programming language introduced in Section [3] by the following 
additional clauses: 

• if s is a global expression of type object and x is an instance variable of 
a basic type T then s.x is a global expression of type T, 

• if s is a global expression of type object, si, . . . ,s n are global expressions 
of type T\ , . . . , T n , and a is an array instance variable of type T\ x . . . x 
T n — > T then s.a[si, . . . , s n ] is a global expression of type T. 

In particular, every expression of the programming language is also a global 
expression. 
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Example 6.1. Consider a normal integer variable i, a normal variable x of type 
object, a normal array variable a of type integer — > object, and an instance 
variable next of type object. Using them we can generate the following global 
expressions: 

next, next.next, x.next, x.next.next, a[i].next, etc., 

all of type object. In contrast, next.x is not a global expression, since x is not 
an instance variable. □ 



We call a global expression of the form s.u a navigation expression since it 
allows one to navigate through the local states of the objects. For example, 
the global expression next.next refers to the object that can be reached by 
'moving' to the object denoted by the value of next of the current object this 
and evaluating the value of its variable next. 

We define the semantics of global expressions by extending the semantics of 
expressions given in Section ETT1 as follows: 

• for a simple instance variable x of type T, 

a(s.x) = a(o)(x), 

where <x(s) = o, 

• for an instance array variable a with value type T, 

a(s.a[si, s n }) = cr(o)(a)(a(si), . . ., a(s n )), 
where <r(s) = o. 

So for a simple or subscripted instance variable u the semantics of u and 
this.w coincide, that is, for all proper states a we have a(u) = cr(this.w). In 
other words, we can view an instance variable u as an abbreviation for the global 
expression this.w. 

Note that this semantics also provides meaning to global expressions of the 
form null.w. However, such expressions are meaningless when specifying cor- 
rectness of programs because the local state of the null object can never be 
reached in computations starting in a proper state a such that tr(this) ^ null 
(see the Safety Lemma |4~2)) . 

Example 6.2. If x is an object variable and a a proper state with a(x) ^ null, 
then for all simple instance variables y we have o~(x.y) — o~(cr(x))(y). □ 

Assertions are constructed from global Boolean expressions by adding quan- 
tification over simple normal variables. We use p, q as typical letters for asser- 
tions. For a state a and an assertion p we write a \= p if a satisfies p. Let \p\ 
denote the set of proper states satisfying p, so \p\ = {a G £ | a |= p}. So a \= p 

iff trefoi- 
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6.2. Substitution and aliasing 

We write s[u := t] for the result of substituting an expression t for a simple 
or subscripted normal variable u in an expression s. We call [u :— t] a substi- 
tution. For a simple variable u this is defined in the customary way. Also it is 
straightforward how to define the simultaneous substitution s[x := t] involving 
a sequence of simple variables. 

However, for a subscripted variable u, the problem of aliasing, i.e., when 
syntactically different subscripted variables denote the same location, has to be 
taken care of. Following fll| we handle it using the conditional expressions. For 
example, 

min{a\x], y)[a\i] := 2] = min{\f x = 1 then 2 else a[x] fi,y). 

The conditional expression checks whether a[x] and a[l] are aliases of the same 
location. If so, the substitution of 2 for o[l] results in a[x] being replaced by 2, 
otherwise the substitution has no effect. 

Intuitively, in a given state a the substituted expression s[u :— t] describes 
the same value as the expression s evaluated in the updated state a[u := cr(t)], 
which arises after the assignment u := t has been executed in ex. We shall later 
need the details of the definition of s[u := t], so let us recall it here. It proceeds 
by induction on the structure of s. The cases dealing with subscripted variables 
are as follows: 

• if s = a[si, . . ., s n ] for some array a, and u is a simple variable or a sub- 
scripted variable b[t±, . . ., t m ] with a b, then 

s[u := t] = a[st[u := t], ■ . .,s n [u := t}}, 

• if s = a[s±, . . ., s n ] for some array a and u = a[t±, . . ., t n ] then 

s[u := t] = if A™=i s i = k then t else a[s[, . . ., s' n ] fi 

where s- = Si[u := t] for i e {1, . . . , n}. 

The most complicated case is the second clause for subscripted variables. Here 
the conditional expression 

if /\™=i s 'i = U then . . . else . . . fi 

checks whether, for any given proper state a, the expression s = a[si, . . ., s n ] in 
the updated state o~[u := cr(t)] and the expression u = a[t±, . . ., t n ] in the state a 
are aliases. For this check the substitution [u := t] needs to applied inductively 
to all subscripts si, . . ., s n of a[si, . . ., s n ]. In case of an alias s[u := t] yields t. 
Otherwise, the substitution is applied inductively to the subscripts s\, . . ., s n of 
a[sx, . . ., s n ]. 

We now extend the definition of the outcome s[u := t] of the substitution to 
the case of instance variables u and global expressions s and t constructed from 
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them. Let u be a simple or subscripted instance variable and s and t global 
expressions. In general, the substitution [u := t] replaces every possible alias 
e.u of u by t. In addition to the possible aliases of subscripted variables, we now 
also have to consider the possibility that the global expression e[u := t] denotes 
the current object this. This explains the use of conditional expressions below. 
Here are the main cases of the definition of the substitution operation s[u := 

t]: 

• if s = x E Var then 

s[u := t] = s, 

• if s = e.u and u is a simple instance variable then 

s[u := t] = if e' = this then t else e'.u fi, 
where e' = e[u := t], 

• if s = e.a[si, . . . ,s n ] and u = a[ti, . . . , t n ] then 

s[u :— t] = if e' = this A A"=i s 'i = then t else e'.a[s[, . . . , s' n ] fi, 

where e' = e[u := t] and = Sj[u := t] for i e {1, ... , n}. 

The following example should clarify this definition. 

Example 6.3. Suppose that s = this.w. Then 

this.u[u := t] 
= if this[u := t] = this then t else . . . fi 
= if this = this then t else . . . fi. 

So this.u[w := t] and t are equal in the sense that for all proper states a we 
have a(this.u[u := t}) = <r(t). 

Next, suppose that s = this.a[x], where x is a simple variable. Then 

this.a[x][a[x] := t] 
= if this[a[x] := t] = this A x[a[x] := t] = x then t else . . . fi 
= if this = this A x = x then t else . . . fi. 

So this.a[x][a[a;] := t] and t are equal. □ 

The substitution operation is then extended to assertions by properly taking 
care of quantification. We have the following lemma that relates for instance 
variables the effect of substitution to the state update. 

Lemma 6.4. (Substitution of Instance Variables) For all global expres- 
sions s and t, all assertions p, all simple or subscripted instance variables u of 
the same type as t, and all proper states a the following hold: 
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(i) a(s[u := t\) = <r[u := a(t)](s), 

(ii) a (= p[u := t] iff a[u := a(t)} \= p. 

Proof. By induction on the structure of s and p. □ 

7. Proof theory for object-oriented programs 

We now study (strong) partial correctness of object-oriented programs ex- 
pressed by correctness formulas of the form {p} S {q}, where S is a program 
and p and q are assertions. The assertion p is the precondition of the correctness 
formula and q is the postcondition. A correctness formula {p} S {q} holds in the 
sense of partial correctness, abbreviated \= {p} S {q}, if every terminating com- 
putation of S that starts in a state satisfying p terminates in a state satisfying 
q. And {p} S {q} holds in the sense of strong partial correctness, abbreviated 
\= sp {p} S {q}, if |= {p} S {q} and no computation of S that starts in a state 
satisfying p ends in a failure. 

Using the semantics M. and M. sp , we formalize these two interpretations of 
correctness formulas uniformly as set theoretic inclusions (cf. Q): 

• 1= {p} S {q} if -MI^KM) c M, 

• Hp {P} S {q} if M sp lSj(M) C{q}. 

Since by definition fail ^ [g] holds, M sp {Sj ( [p] ) C [g] implies that S does not 
fail when started in a proper state a satisfying p, as required for strong partial 
correctness. 

Example 7.1. Consider again the program £ = this./me^z) of Example 13.11 
for finding an object in a linked list. To specify the desired effect of the there 
declared method find we introduce a fresh normal array variable a of type 
integer — > object that stores a linked list of objects, as expressed by the asser- 
tion 

Po = Vi > : a[i].next = a[i + 1]. 

We take p = this = a[0] A po as precondition and q = 3i > : z — a[i] as 
postcondition. Then the correctness formula {p} S {q} holds in the sense of 
partial correctness, i.e., upon termination z will store one of the objects in the 
list. Note that this is a correct specification since the variable a is not used 
(and hence not changed) in the program S. In general, normal auxiliary array 
or simple variables have to be used to record the initial values of the program 
variables. 

However, this correctness formula does not hold in the sense of strong partial 
correctness if the list contains the null object before the object stored in the 
variable z . To avoid this we strengthen the precondition by adding the assertion 

pi = Vi > : a[i] ^ null. 
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Then {p A pi} S {q} holds in the sense of strong partial correctness. Finally, if 
the list is circular and does not contain the null object or the object stored in 
z, the program S diverges. □ 



7.1. Partial correctness 

Partial correctness of the programs in the kernel language is proved using 
the proof system PK consisting of the group of axioms and rules [THU and [TOl 
shown in | Appendix B . T| 

Wc now consider partial correctness of object-oriented programs. First, we 
introduce the following axiom for assignments to instance variables: 

AXIOM [TJJ ASSIGNMENT TO INSTANCE VARIABLES 

{p[u :=t}} u:=t {p} 
where u is a simple or subscripted instance variable. 

So this axiom uses the new substitution operation defined in the previous 
section. Next, as we shall explain in a moment, we need the following rule 
for weakening the precondition of a partial correctness formula concerning a 
method call. 

RULE[[2} WEAKENING 

{p A s 7^ null} s.m(t) {q} 
{p} s.m(t) {q} 

Non-recursive methods 

The main issue is how to deal with the parameters of method calls. There- 
fore, to focus on it we discuss the parameters of non-recursive methods first. The 
following copy rule shows how to prove correctness of non-recursive method calls: 

{p} begin local this, it := s,i; S end {q} 
{p} s.m(f) {q} 

where m(u) :: S G D . 

Example 7.2. We prove the partial correctness formula {true} null.m {false}, 

where m :: skip 6 D. First, we have 

{false} begin local this := null; skip end {false}, 

so by the above copy rule we get {false} null.m {false}. The desired conclusion 
now follows by the above weakening rule and the consequence rule. □ 
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Recursive methods 

When we deal only with one recursive method and use the method call as the 
considered object-oriented program, the above copy rule needs to be modified 
to 

{p} s.m(t) {q} hpo {p} begin local this, u := s, t; S end {q} 

{p} s.m(t) {q} 

where D = {m(u) :: S}. 

The provability relation \~po here refers to the proof system PO, which is 
defined as PK extended with the axiom [11] for assignments to instance vari- 
ables, the weakening rule [121 and the auxiliary rules IA1HA5I (as introduced in 
|Appendix B.2[ ). Thus the premise of the rule states that in the proof the cor- 
rectness of the block statement we may assume the corresponding correctness 
formula concerning the method call. 

In the case of an arbitrary program and a set of mutually recursive method 
declarations we have the following generalization of the above rule. 

RULE [13} RECURSION I 

{pi} si.mi(fi) {qi}, {p n } s n .m n (i„) {q n } h PO {p} S {q}, 
{pi} si.mi(ti) {qi}, . . . , {p n } s n .m n (t„) {q n } ^po 

{pi} begin local this, Ui := Sj, Si end {qi}, i G {1, . . ., n} 

M S {q} 

where rrii{ui) :: Si G D for i G {1, . . . , n}. 

The intuition behind this rule is as follows. Say that a program S is (p, q)- 
correct if {p} S {q} holds in the sense of partial correctness. The second 
premise of the rule states that we can establish from the assumption of the 
(Pii (^-correctness of the method calls Sj.mj(fi) for i G {1, . . . the (pi,qi)- 
correctness of the procedure bodies Si for i G {1, . . . , n}, which are adjusted as 
in the transition axiom that deals with the method calls. Then we can prove 
the {pi, (/^-correctness of the method calls Sj.mi(tt) for i G {1, . . . , n} uncondi- 
tionally, and thanks to the first premise establish the (p, g)-correctness of the 
program S. 

To prove partial correctness of object-oriented programs we use the following 
PROOF SYSTEM PO + : 

This system is obtained by extending PO by the recursion I rule [T3l 

7.2. Strong partial correctness 

Strong partial correctness of programs in the kernel language is proved using 
the proof system SPK consisting of the group of axioms and rules [T|-[71 and 
[POl shown in | Appendix B.l" 

To prove strong partial correctness of method calls we modify the above 
recursion rule I. The provability symbol \~spo refers now to the proof system 
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SPO, which is defined as SPK augmented with the assignment axiom [TT] and 
the auxiliary rules IA1HA5I introduced in | Appendix B.2 

RULE Q3J RECURSION II 

{pi} si.mi(fi) {qt}, {p n } s n .m„(tn) {q n } h SPO {p} S {q}, 
{p{\ Si.mi(ti) {qi}, {p n } s n .m n (t n ) {q n } h S po 

{pi} begin local this, u % := s l ,t i ; Si end {q t }, ie{l,...,n} 
(*) pi -> Si ^ null, i e {1, . . ., n} 

M S {q} 

where mj(uj) :: Sj £ 13, for i € {1, . . . , n}. 

Thus compared with the recursion I rule [131 the premises (*) have been 
added. These premises are indeed needed, as the following incorrect derivation 
shows. 

Example 7.3. Let m :: skip 6 D. Without the premises (*), we could derive 
from 

{true} null.m {true} h {true} begin local this := null; skip end {true}. 

the correctness formula {true} null.m {true}. However, this correctness for- 
mula does not hold in the sense of strong partial correctness. □ 

To prove strong partial correctness of object-oriented programs we use the 
following 

PROOF SYSTEM SPO + : 

This system is obtained by extending SPO by the recursion II rule 1141 

8. Formal justification 

To prove soundness and completeness of the proof systems PO and SPO for 
(strong) partial correctness of object-oriented programs we shall use the trans- 
formation given in Section [5j notably the Correctness Theorem [5Tj and reduce 
the problem to the analysis of the corresponding proof systems for recursive 
programs. 

The partial correctness semantics M\S\ and the strong partial correctness 
semantics AA sv \S\ of recursive programs S are defined as for the kernel language. 
We have the following basic semantic invariance property of recursive programs. 

Lemma 8.1. (Semantic Invariance) Let M stand for A4 or Ai sp . Further, 
let z be a sequence of fresh variables which do not appear in the main statement 
S (or the given set of declarations D) and d be a corresponding sequence of 
values. Then 

M[S\{<t[z := d}) = {r[z := d] \ re JV[£](<r)}. 
Proof. The proof proceeds by induction on the length of the computation. □ 



24 



8.1. Proof theory for recursive programs 

Correctness formulas {p} S {q} for recursive programs S and their inter- 
pretation in terms of partial and strong partial correctness is defined as for 
object-oriented programs. 

In the following rule for recursive programs we use the provability symbol 
h to refer to either the proof system PR which consists of the proof system 
PK augmented with the auxiliary rules IA1HA5I defined in |Appcndix B.2| or the 
proof system SPR which consists of the proof system SPK augmented with the 
these rules. 

RULE QU RECURSION III 

{ Pl } Pr(h) {qi}, • • • , {Pn} Pn{t n ) {q n } h M 8 {<?}, 
{ Pl } Pl(tl) {<&}, . . . , { Pn } Pn{tn) {?«} \~ 

{pi} begin local m := U; Si end {qi}, i e {1, . . ., n} 
M S {q} 
where Pi(vli) :: Si G D. 

The intuition behind this rule is analogous as in the case of the recursion I 
rule introduced in Section [7j For recursive programs we use the following proof 
systems. 

PROOF SYSTEM PR + for partial correctness of recursive programs: 
This system is obtained by extending PR by the recursion III rule IT5l 

PROOF SYSTEM SPR + for strong partial correctness of recursive programs: 
This system is obtained by extending SPR by the recursion III rule [T5l 

8.2. Translation of assertions and proofs 

For the reduction to (correctness proofs of) recursive programs we also have 
to transform expressions of the assertion language. To this end, we extend the 
definition of O(s) given in Section r5.2l to global expressions introduced in Section 
IG.ll by adding the following two cases (where x is an instance variable of basic 
type and a is an array instance variable): 

• Q{s.x) = x[Q(s)], 

• Q(s.a[si, s„]) = a[6(s), O(si), . . . , 6(s n )]. 

Then we extend the transformation O(s) to a transformation O(p) of asser- 
tions by a straightforward induction on the structure of p. Correctness of this 
transformation of assertions is stated in the following lemma. 

Lemma 8.2. (Assertion) For all assertions p and all proper states a 

o-^piff&(cj)^Q{p). 
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Proof. The straightforward proof proceeds by induction on the structure of p. 
□ 



Corollary 8.3. (Translation I) For all correctness formulas {p} S {q}, where 
S is an object-oriented program, 

h M S {q} iff h MP)} 9(5) {6(g)}, 

and 

Hp M S {q} iff Hp {©(?>)} 9(5) {9(g)}. 

Proof. It follows directly by the Assertion Lemma 18.21 and the Correctness 
Theorem [5^1 □ 

We next show that a correctness proof of an object-oriented program can be 
translated to a correctness proof of the corresponding recursive program. We 
first need the following lemma which states equivalence between a correctness 
proof of a method call from a given set of assumptions and a correctness proof of 
the corresponding procedure call from the translated set of assumptions. For a 
given set of assumptions A about method calls, we define the set of assumptions 
9(A) about the corresponding procedure calls by 

9(A) = {{<3(p)} m(G(s),e(t)) {9(g)} \ {p} a.m(f) {q} e A}. 

Lemma 8.4. (Translation of Adaptation Correctness Proofs) Let A be 

a given set of assumptions about method calls. Then 

A\-ar M s.m(t) {<?} ifje(A) h4 fl {e(p)} m(Q(s),e(t)) {9(g)}, 

where \~ar denotes provability in the proof system consisting of the so-called 
adaptation rules: the consequence rule^and the auxiliary proof rules introduced 
in Appendix B.2 



Proof. The proof proceeds by induction on the length of the derivation. □ 

In order to prove the equivalence between partial correctness proofs of a 
method call from a given set of assumptions and correctness proofs of the cor- 
responding procedure call from the translated set of assumptions, we need the 
following lemma about partial correctness proofs of failure statements. 

Lemma 8.5. (Normal Form Partial Correctness Failure Statements) 

Let A be a given set of assumptions about procedure calls. If 

A h Pfi M if B -> S fi {q} 

then 

Ah PR {p A B} S {q}. 
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Proof. The proof proceeds by induction on the length of the given derivation. 
By the form of the proof rules we can restrict to the consequence rule [7J the 
auxiliary proof rules introduced in | Appendix B.2| and the failure rule [5] We 
consider the case of an application of the auxiliary rule IA31 Let 

Ah PR {p 1 } if B->S&{q} 

and p denote 3x : p' , where x Var(D) U Var(S) U free(q). By the induction 
hypothesis and an application of the auxiliary rule [51 we have 

A h PR {3x : (jpf A B)} S {q}. 

Since x does not occur in B, the precondition is logically equivalent to (Bx : 
p') A B, so the desired result follows by an application of the consequence rule. 
□ 

Next, we introduce the following lemmas stating the equivalence between 
(strong) partial correctness proofs of a method call from a given set of as- 
sumptions and correctness proofs of the corresponding procedure call from the 
translated set of assumptions. 

Lemma 8.6. (Translation of Partial Correctness Proofs) Let A be a 

given set of assumptions about method calls. Then 

A \-po {p} s.m(t) {q} 

iff 

6(A) h Pfl {<3(p)} if 0(a) ^ null -> m(0(a), 0(i)) fi {6(g)}. 

Proof. Note that by the form of the proof rules we can restrict the rules of PO 
to the proof system AR extended with the weakening rule [12] and restrict the 
rules of PR to the proof system AR extended with the failure rule [S] 
(=>) We prove the claim by induction on the length of the derivation. For the 
base case assume that {p} s.m(t) {q} € A. By definition of Q(A), 

{e(p)}m(e(a),e(t)) {G( q )}ee(A), 

so 

Q(A) h Pfl {O(p)} m(Q(s),Q(t)) {6(g)}. 
By a trivial application of the consequence rule, we get 

Q(A) h PR {0(p) A 0(a) ^ null} m(0(s), 0(F)) {6(g)}. 

Now by the failure rule, we get the desired result. 

For the induction step we treat the case when the last rule applied is the 
weakening rule. Then it is applied to 

A\-po {p As ^ null} s.m(i) {q}. 
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By the induction hypothesis, 

6(A) h PR {Q(p) A 9(s) ^ null} if 9(s) ^ null -> m(9(s), 9(t)) fi {6(g)}. 

By Lemma T8. 51 it follows that 

8(A) h Pfl {0(p) A 9(s) ^ null A 9(s) ^ null} m(9(s), 9(i)) {6(g)}, 

so by the consequence and failure rules we get the desired result, the right-hand 
side of the statement of the lemma. 

We prove the claim by induction on the length of the derivation. We only 
treat the main case of the induction step when the last rule applied is the failure 
rule. Then it is applied to 

9(A) h PR {Q(p) A 9(s) ^ null} m(9(s), 9(t)) {8(g)}. 

In this derivation in \~pr the failure rule has not been applied. Thus we can 
replace \~pr by \~ar- By the Translation Lemma 15^1 we get 

A \~ A R {pAs=£ null} s.m(t) {q}. 

Applying the weakening rule we get the desired result, the left-hand side of the 
statement of the lemma. □ 

Lemma 8.7. (Translation of Strong Partial Correctness Proofs) Let A 

be a given set of assumptions about method calls such that p' — > s' null holds 
for all {p'} s'.m'(F) {q'} e A. Then 

A \~spo M s.m(t) {q} 

iff 

9(A) h SPR {9(p)} if Q(s) + null -> m{Q(s), 0(f)) fi {9(g)}. 

Proof. 

(=>) We prove the claim by induction on the length of the derivation. We only 
treat the base case, that is when {p} s.m(t) {q} € A. By definition of A, the 
implication p — >• s ^ null holds. By definition of 9(A), 

{e(p)}m(0( S ),e(t)) {9(g)} e 9(A). 

Furthermore, by the Assertion Lemma we have 0(p) — ► 9(s) ^ null. So 
we conclude the desired result by an application of the failure II rule. 

(<=) We prove the claim by induction on the length of the derivation. We only 
treat the main case of the inductive step, an application of the failure II rule. 
So Q(p) — > 9(s) / null holds and the rule is applied to 

9(A) h SP R {&( P )} m(9(s),9(i)) {9(g)}. 
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In this derivation in \~spr the failure II rule has not been applied. So we can 
replace \~spr by \~ar- Thus by the Translation Lemma 18.41 

A \~ar {p} s.m(t) {q}. 

from which the desired result follows. □ 

In order to extend the above lemmas from method calls to arbitrary state- 
ments we need the following lemma which states that the transformation on 
assertions is a homomorphism with respect to the substitution operation. 

Lemma 8.8. (Homomorphism) For all global expressions or assertions p, 
all expressions t of the programming language, and all simple or subscripted 
variables u, 

e(p[u:=t]) = e(p)[e(u) :=e(t)]. 

Proof. We treat the case of a global expression s and a simple instance variable 
u. By definition, Q(u) = it [this]. It suffices to prove 

Q(s[u := t]) = 0(»)[u[this] := 0(t)] 

by induction on the structure of the global expression s. We treat the case of 
s = e.u. 

Q(e.u[u := t]) 
= {by definition of the substitution [u := t]} 

0(if e[u := t] = this then t else e[u := t].u fi) 
= {by definition of 6} 

if Q(e[u := t] = this) then Q(t) else Q(e[u := t].u) fi 
= {by definition of 6} 

if Q(e[u := t]) = this then Q{t) else u[Q(e[u := t})} fi 
= {by induction hypothesis about e} 

if 6(e) [u [this] := 0(i)] = this then 9(i) else u[0(e)[«[this] := 0(f)]] fi 
= {by definition of the substitution [u[this] := 0(f)]} 

u[0(e)][«[this] := Q(t)} 
= {by definition of 0} 

0(e.u)[u[this] := 0(f)] 

□ 

Lemma 8.9. (Translation of Correctness Proofs Statements) Let A be 

a set of assumptions about method calls and {p} S {q} be a correctness formula 
of an object-oriented statement S. Then 

Ah{p}S {q} iffe(A) h {Q(p)} O(S) {0(g)}, 

where 
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• in case of partial correctness h on the left-hand side denotes provability in 
the proof system PO, and h on the right-hand side denotes provability in 
the proof system PR, and 

• in case of strong partial correctness h on the left-hand side denotes prov- 
ability in the proof system SPO, and h on the right-hand side denotes prov- 
ability in the proof system SPR. Additionally, we assume that p' —> s ^ 
null holds for all {p 1 } s.mit) {q'} G A. 

Proof. The proof proceeds by induction on the length of the derivation. The 
case of an assignment statement follows by the Homomorphism Lemma [8.8l The 
case of a method call follows by the Translation Lemma [8~7l The cases of other 
program statements follow directly by the induction hypothesis. In particular, 
in the cases of the consequence rule and the rules for conditionals and loops, 
the Assertion Lemma 18.21 is used. □ 

Finally, we arrive at the main result of this section. 

Theorem 8.10. (Translation II) For all correctness formulas {p} S {q}, where 
S is an object-oriented program, 

(i) {p} S {q} is derivable in the proof system PO + iff {®(p)} 6(5) {<d(q)} is 
derivable in PR + , 

(ii) {p} S {q} is derivable in the proof system SPO + iff {0(p)} Q(S) {<d(q)} 
is derivable in SPR + . 

Proof. The proof proceeds by an induction on the length of the derivation. The 
case of the assignment axioms is taken care of by the above Lemma [8.8l The case 
of the recursion rules is taken care of by the Translation Lemma |8"U1 The case of 
the other axioms and rules follows immediately from the induction hypothesis 
(using the Assertion Lemma I8~2l in case of the rules for the conditional and while 
statements). Note that in the premises of the recursion rules we cannot apply 
the recursion rule again. □ 

From the above theorem it immediately follows that the proof systems PO + 
and SPO + are sound and (relative) complete if and only if the corresponding 
proof systems PR + and SPR + are sound and (relative) complete. For proofs of 
soundness of the systems PR + and SPR + , that is, for every correctness formula 
{p} S {q} about a recursive program S, derivability of {p} S {q} in PR + and 
SPR + implies |= {p} S {q} and j= sp {p] S {q}, respectively, we refer to our 
book In the next section we discuss (relative) completeness of the proof 
systems PR+ and SPR+ . 

9. Completeness 

We prove here relative completeness of the proof systems PR + and SPR + 
for partial and strong partial correctness of the class of recursive programs 
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considered in this paper. The proof is based on the use of weakest preconditions. 
As explained in Section [TOj this approach also applies to total correctness. We 
first discuss the expressibility of weakest preconditions for recursive programs 
that use variables whose type may involve abstract data types (like the basic 
type object). 

9.1. Expressibility 

We introduce the following definitions and conventions. By a —y a', for 
V C Var, we denote the fact that a(v) = cr'(v), for v € V. We fix throughout 
this section a sequence x = x\, . . . , Xk of (simple and array) variables and a main 
statement S such that its variables and those of the given set of declarations D 
are contained in x. Further, we fix a corresponding sequence y of fresh variables 
used to refer to the final values of x in the definition of the weakest preconditions 
below. By x, = y we denote the conjunction of the formulas Xi = j/j, for a simple 
variable Xi, and Vu^ : = Vi[ui], for an array variable Xi (ttj denotes a 

sequence of simple variables corresponding to the argument types of Xi). The 
update o~[x :— <j'(y)\ assigns to each variable Xi the value/function <r'(yi), for 
i G {1, . . . , k}. We denote by the substitution p[x :— y] the result of renaming 
every variable Xi by yi, for i 6 {1, . . . , k}. We have the following substitution 
lemma corresponding to the Substitution Lemma 16.41 

Lemma 9.1. (Substitution) We have 

a \= p[x := y] iff a[x := a(y)} \= p. 

Proof. The proof proceeds by induction on the structure of p. □ 
The weakest precondition WP(S,p) for partial correctness denotes the set 

{a | M{S\{a) C fpj}. 

Similarly, the weakest precondition WP sp (S,p) for strong partial correctness 
denotes the set 

{a | M sp lSj(a)C [p]}. 
The above predicates satisfy the following equations. 

Lemma 9.2. (Weakest Precondition Calculus) Let W stand for WP or 
WP sp . The weakest preconditions satisfy the following (standard) equations. 

• W(skip,p) = lp], 

• W(u:=t,p) = \p[u:=t]], 

• W(x :=i,p) = lp[x~t\l 

• W{Sv,Si,p) = W(S U W(S 2 ,p)), 

. W(if B then Si else S 2 fl,p) = {{Bj n W(Si,p)) U ([-.B] n W{S 2 ,p)), 
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• W (while B do S od,p) = 

([-B] n [p]) U ([B] n W(S, ^(while B do S od,p))). 

Failure statements satisfy 

WP(if B 5 fl,p) = ([B] n WP(S,p)) U [-.B] 

and 

WT sp (if B 5 fi,p) = [B] n WT sp (5,p). 
Finally, block statements satisfy 

W(hegin local u :~ t; S end,p) = W(u := t; 

where the local variables u do not appear in p. 

Proof. We prove the equation for block statements (the equations for the other 
statements are standard). By definition of the semantics of block statements 
and the above equations for (parallel) assignments and sequential composition 
of statements, we have 

W^begin local u := i; S end,p) 

= W(u := i; S;u := a(u),p) 

= W(u := tj S; W(u := a(u),p)) 

= W(u:=i;S,p). 

Note that p[u :— cr(u)} equals p because the variables u do not appear in p. □ 

As a special case, we introduce the following most general weakest precondi- 
tions 

WP(S,x = y) and WP sp (S,x = y). 
Note that by definition, 

WP(S,x = y) = {a\ M[S\(<t) C {a[x := a(y)}}} 

and 

WP sp (S,x = y) = {a\ M sp \S]{a) C {a[x := a(y)}}}- 

These predicates describe the graphs of the deterministic functions M. \S\ and 
AlspIS*] in terms of a relation between the input variables x and the output 
variables y. 

In order to express these most general weakest preconditions in the first- 
order assertion language we introduce a state-based encoding of the basic types 
which allows for a standard arithmetic encoding of the programming semantics. 

Let nat denote the basic type of the set N of natural numbers. For each 
basic type T we fix a fresh array variable hx of type nat — > T for a state-based 
encoding of the values of basic type T. We will use h to range over the variables 
h T . Without loss of generality we restrict our attention to states for which the 
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interpretation of each array variable Ht specifies an enumeration of the values 
of the basic type T, that is, hr is surjective, as expressed by 

Vx : 3n : x = /i T [n], 

where x is of type T and n of type nat. 

Given this encoding of the basic types, we next show how to express in 
the assertion language the encoding of the interpretation of the variables. The 
assertion code(n, z) defined by h[n] — z, where z is a (simple) variable, directly 
expresses that the variable n (of type nat) stores an integer representation of 
the value of z. In order to express a similar assertion code(n,a), where a is 
an array variable, we assume in the assertion language the following arithmetic 
operations: 

• < n > denotes the natural number encoding the sequence of natural num- 
bers n, 

• n(i) denotes the ith element of the sequence encoded by n, 

• \n\ denotes the length of the sequence of numbers encoded by n. 

We note that the above operations can be formally defined in the assertion 
language by some computable enumeration of all finite sequences of natural 
numbers (details are standard and therefore omitted). Let I denote the number 
of argument types of the array variable a. The assertion app(n, a) defined by 

|n| = I + 1 A a[h[n{\)], h[n(l)}] = h[n(l + 1)] 

expresses that n encodes an application of the interpretation of the array a. The 
assertion code(n, a) is then defined by 

M 

f\ app(n(k),a). 

fe=i 

This assertion expresses that n encodes a finite sequence of numbers n(k) each 
of which in turn encodes an application of the interpretation of the array a. For 
every sequence z — z\, . . . , z k of variables we denote by code(n, z) the conjunc- 
tion 

k 

\n\ = k A y\ code(n(i), zCj. 

i=l 

Without loss of generality we assume that the encoding of any sequence of vari- 
ables z is surjective: for every n <G N there exists a state a such a |= code(n, z). 

Given this encoding of the interpretation of simple and array variables, we 
next introduce the following binary arithmetic relation comp s , where S is a 
recursive program, which denotes the set 

{(n, m) | Vtr : cr (= code(n,x) and a f= code + (m,x,y) implies 
a[x:=a{y)] € M[S\(a)}. 
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Here we implicitly assume that code + (m,x,y) asserts code(m,y) and addition- 
ally enforces that each array variable Xi agrees with the corresponding array 
variable yt on the complement of the domain specified by m{i) (note that m 
codes only a finite part of each array variable of y). (The details of this exten- 
sion of the assertion code(m,y) are straightforward though somewhat tedious 
and therefore omitted.) In the sequel we write comps{n,m) to denote that n 
and m belong to the binary relation comps (we will use n and m both to denote 
natural numbers and variables of type nat). 

Since every finite computation of S accesses each array variable of x only on 
a finite subset of the domain of its interpretation, we have the following closure 
property of comp s . 

Lemma 9.3. (Closure of comp) For all states a and a 1 we have that a' G 
A^fJS'Kcr) implies comp s (n,m), for some pair of numbers n and m such that 
a \= code(n,x) and a[y := cr'(x)] \= code + {m,x,y). 

We proceed with the introduction of the (unary) arithmetic predicate fail s 
which denotes the set 

{n | V(T : a\= code(n,x) implies fail G A^ sp [5](o")}. 

In the sequel we also use fails(n) to denote that n is an element of the set 
fail s . 

Again, since every finite sequence of computation steps of S accesses each 
array variable of x only on a finite subset of the domain of its interpretation, 
we can assume the following closure property of the fail s . 

Lemma 9.4. (Closure of fail) For every state a such that fail G 7Vf S p[5](<T) 
we have a \= code(n,x) and fail s (n), for some natural number n. 

By means of standard techniques for encoding finite sequences of computa- 
tion steps (see for example ) we can express the predicates comp s and fail s 
arithmetically in the (first-order) assertion language in terms of the above encod- 
ing of the interpretation of the variables x. Therefore, we may assume without 
loss of generality that these predicates are present in the assertion language. 

Lemma 9.5. (Expressibility) For the assertion 

p = Vn, m : (code(n,x) A comp s {n,m)) — > code(m,y) 

we have 

WP{S,S = y) = ]p\ 

and 

WP sp (S, x — y) = [p A Vn : code{n, x) — > ->fail s (n)\. 



34 



Proof. We prove first the first equation. Let cr G WP(S, x — y), i.e., M [5] (a) C 
{cr[x :— a(y)]}. In order to prove a \= p, let a \= code(n,x) and comps(n,m), 
for some arbitrary (constants) n and m. Further, let a' |= code(m,y), for some 
cr' (note that the encoding of the variables y is assumed to be surjective). 
Without loss of generality we may assume that a\y :— <j'{y)] \= code + (m, x,y) 
(note that m only codes a finite part of cr'). Since the evaluation of code(n, x) 
only depends on the interpretation of the variables x, a \= code(n, x) implies 
a[y :— u'(y)) \= code(n, x). By definition of comp s it follows that cr[x :— cr'(y)] G 
M [5] (cr) (note that y are assumed not to occur in S) . Because S is deterministic 
it follows that a[x := cr'(y)\ = a[x := cr(y)], i.e., a'(y) = <j(y). So we conclude 
that a \= code(m,y) (note that code + (m,x,y) trivially implies code(m,y)). 

Next let a\=p. In order to prove a G WP(S,x = y), i.e., M{Sj(a) C 
{a[x := cr(y)]}, let a' G 7W[5](<t). By Lemma [9T3l it follows that comps(n,m), 
for some n and m such that a (= code(n,x) and cr[y := cr'(x)] |= code + (m,x,y). 
So by the definition of comp s it follows that cr[x := ct'(x)] G A^[5](<t) (as above, 
note that cr |= code(n,x) implies a[y := cr'(x)] ^ code(n,x) and the variables y 
do not appear in 5 1 ). Since 5* is deterministic we conclude that cr'(x) = cr(y) = 

For the second equation, it suffices to observe that by Lemma 19.41 fail G 
A / l S p[S l ](cr) implies cr |= 3n : code(n,x) A failg{n). On the other hand, by 
definition of fail s it immediately follows that a \= 3n : code{n,x) A fail s {n) 
implies fail G M sp {S\(a). We conclude that fail ^ M sp {S\(a) iff a \= Vn : 
code(n,x) — > -ifailg(n). □ 

We conclude this discussion of the encoding of the most general weakest 
preconditions with the following characterization of divergence or failure, in 
case of partial correctness, and divergence, in case of strong partial correctness. 

Lemma 9.6. (Expressibility of Divergence/Failure) For the assertion 

p = Vn, m : code(n, x) — > -^comps(n, m) 

we have 

WT(5,fel8e) = |j»], 

and 

WP sp (S, false) = lp A Vn : code(n, x) — > -*fails{n)\. 

The formula p in the first equality expresses all states from which S can 
diverge or fail, while the formula on the right-hand side of the second equality 
expresses all states from which S can diverge. 

Proof. We prove the first equation (the second is dealt with as above) . First let 
a G WP(S, false), i.e., Ai [5] (a) = 0. In order to prove cr |= p, let a |= code(n, x) 
and comps{n,m), for some arbitrary (constants) n and m. As above, we may 
assume without loss of generality that a[y :— cr'(x)] \= code + (m,x,y), for some 
a'. By definition of comp s , it follows that cr[x := cr'(x)] G jM[5](<t) which 
contradicts 7W[5](cr) = 0. 
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Next let a\=p. In order to prove a G WP(S, false), i.e., M{Sj(a) = 0, 
let a' G jM [51(c). By Lemma 1931 it follows that comps{n,m), for some n 
and m such that a |= code(n,x) (and <r[y := cr'(s)] |= code + (m,x,y)). But this 
contradicts a \= p. So we conclude that .MJS'Ker) = 0. □ 

9. 2. Completeness proof using most general correctness formulas 

We prove (relative) completeness of the proof system SPR + , i.e, every strong 
partially correct specification {p} S {q} of a recursive program S is derivable in 
SPR+. Formally, |= sp {p} S {q} implies h SPR + {p} S {q}. The proof of (rela- 
tive) completeness of the proof system PR + for partial correctness of recursive 
programs is similar. 

First we state and prove the following completeness result for the most gen- 
eral correctness formulas. Its formulation refers to the expressibility of the most 
general weakest preconditions justified by the Expressibility Lemma \9. 5 1 

Lemma 9.7. (Completeness: Most General Correctness Formulas) Let 

x = x\,...,Xk be all the variables (global and local) appearing in D, S, p or 
q, and y be a corresponding sequence of fresh variables. Further, let q be a 
consistent assertion, i.e., \q\ ^ [false]. We have 

1= SP {P) S M im P lie s {WP sp (S,x = y)} S {x = y} h SPfl {p} S {q}. 

Proof. Let |= sp {p} S {q}, with q a consistent assertion. Without loss of 
generality we may assume that p and q do not refer to the variables y (otherwise, 
we rename them and apply the substitution rule). Applying the invariance rule 
we obtain 

{q[x := y] A WP sp (S, x = y)} S {q[x :— y] A x — y}. 

Clearly the postcondition implies q. By the consequence rule, we then obtain 

{q[x:=y]A WP sp (S,x = y)} S {q}. 

Next we apply the auxiliary rule IA3I 

{3y : q[x y] A WP sp (S, x = y)} S {q}. 

By definition of the weakest precondition and |= sp {p} S {q}, it follows that p 
implies the above precondition (an application of the consequence rule thus gives 
us the desired correctness formula): Let a \= p. It follows from \= sp {p} S {q} 
that MsplSKa) C [qj, i.e., A4 sp [5](cr) = or a' G M sp \S\{o), for some proper 
state a'. First we consider the case that 7Vf S p[5](<T) = 0. From Lemma T8.ll it 
follows that A'fspKS'JKcr') = 0, for every a' such a' —yar\y °~- Further, since q is 
consistent, we have a' |= q[x := y], for some a' such a' =var\y °~- Summarizing, 
we have 

^'h#:^]A WP sp (S,x = y), 
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for some a' such that a' =var\y a - From which we conclude that 

o h 3y : q[x := y] A WP sp (S, x = y). 

Next we consider the case that cr' G A^ sp [5](it), for some proper state er'. 
From Lemma 18.11 it follows that a' G A^ sp [5](cr) implies <r'[y := cr'(x)] G 
■^sp[S'](CT[y := cr'(x)]). Clearly, cr'[y := cr'(x)] (= 5 = y, and therefore cr[y := 
(J '(^)] 1= WP S p{S,x = y). Further, since y are assumed not to appear in p, 
a \= p implies a[y := <r'(x)] (= p. So we derive from the assumption (= <5 {g} 

that cr'[y := cr'{x)\ \= q. By Lemma l9.1l it then follows that a'[y := cr'(£j] |= q[x := 
y}. Since cr =var\x a ' an d the evaluation of q[x := y] docs not depend on the 
interpretation of the variables x, we have also a[y := cr'(5)] |= g[x := y]. Sum- 
marizing, we obtain that 

a[y := cr'(S)] |= g[i := y] A WP sp (S,x = y), 

that is, 

a h 3y : g[a := y] A ^P sp (5, x = y). 

□ 

We next introduce for each procedure call Pj(tj), i G {1, . . . , n}, appearing 
in the given set of declarations D or the main statement S, the correctness 
formulas 

{WP sp (Pi{ii), false)} P t (U) {false} and { WP^Pfo), x = y)} P t {U) {x = y}, 

where x = x\,...,Xk are all variables (global and local) appearing in D or S, 
and y is a corresponding sequence of fresh variables. We rely here on the express- 
ibility of divergence and failure, as justified by the Expressibility Lemma 19.61 
Let A denote the set of these correctness formulas. 

Lemma 9.8. (Completeness Assumptions A) We have 
\= SP {P} S U) implies A h S PR M S {q}. 

Proof. The proof proceeds by induction on the structure of the statement 
S. Distinguishing between |= sp {p} S {false} and |= sp {p} S {<?}, where q is 
consistent, by definition of WP sp (S, false) and the above Lemma [9771 it suffices 
to prove 

A\- SPR {WP sp (S,r)}S W, 

where r denotes the assertion false or x = y. For assignments, sequential 
composition of statements, conditionals, failure statements and while statements 
the derivability of these correctness formulas follow from the standard properties 
of weakest preconditions as described in Lemma l9~2l We consider therefore the 
non-standard case that S denotes a block statement begin local u := t; Si end. 
We introduce a sequence z of fresh variables corresponding to the local variables 
u. By the semantics of block statements, it follows that 

h 3 Jz = u A WP sp {S, r)} u := i; Si {r[u := z}}. 
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By the (general) induction hypothesis, we can derive this correctness formula 
from the given set of assumptions A. Next we apply the block rule which gives 

{z — u A WP sp (S, r)} S {r[u := z}}. 

We proceed by an application of the invariance rule, which gives us 

{z = u A WP sp (S,r)} S {z = uAr[u := z]}. 

The postcondition clearly implies r, so by the consequence rule, we obtain 

{z = uA WP sp {S,r)} S {r}. 

Finally, applying the substitution rule (replacing in the precondition z by u) 
followed a trivial application of the consequence rule gives us the desired result. 
□ 

We conclude with the following main completeness theorem. 

Theorem 9.9. (Completeness: Strong Partial Correctness) Every strong 
partially correct specification {p} S {q} of a recursive program S is derivable in 
SPR + . Formally, \= sp {p} S {q} implies \- S pr+ {p} S {q}. 

Proof. Let |= {p} S {q} and A be the set of assumptions as defined above. 
By Lemma 19.81 we have 

A h SPR M S {q}. 
Next, let r denote the assertion false or x = y. We have that 

\= sp {WP sp (Pi(ii)),r} PiiU) W 

implies 

1= S pi WP sp{Pi{k),r)} begin local := t^Si end {r}, 

for every Pj(w,) :: Si € D. By Lemma T9.8I again we have 

A ^spr {WP sp {Pi{ti),r)} begin local Ui := t l \S l end {r}, 

for every assumption of A. Finally, by the recursion III rule [15J we conclude 
that {p} S {q} is derivable in the proof system SPR + . □ 

10. Extensions 

The approach to the verification of the object-oriented programs that we 
proposed here is flexible and natural. To substantiate this claim we explain now 
how it can be naturally extended to other features of object-oriented program- 
ming and to total correctness. 
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10.1. Access to instance variables 

A natural possibility is to allow method calls to access instance variables of 
arbitrary objects, a feature available in Java. Then, given instance variables 
x,y and object variables s,t, we could use assignments such as y := s.x + 1, or 
s.x := t.y + 1, and use global expressions in Boolean expressions, for example 
2- s.x — t.y + 1, and as actual parameters in method calls, for example s.m{t.y-\- 
1). 

To extend the obtained results to the resulting programming language the 
presentation would have to be modified in a number of places. More precisely, 
such an extension requires the following: 

• introduction of the global expressions already in Section [3. 1[ 

• introduction of global terms, which are expressions built out of global 
expressions using the admitted function symbols (and respecting the well- 
typedness condition), 

• extension of the assignment statement to one of the form s := t, where s 
is a global expression and t is a global term, 

• admission of the method calls of the form s.m(t\, . . .,£«), where s is an 
object expression and t%, . . .,t n are global terms, 

• introduction of the definition of semantics of global terms in Section 14.11 

• extension of the notion of an update of a state a[s := d] in Section B~2l to 
the case of a global expression s, 

• extension of the definition of substitution given in Section 16.21 to one of 
the form [s := t], where s is a global expression and t is a global term, 

• extension of the transformation given in Section [5] to the considered 
programming language, by defining 0(s) for a global expression s already 
in Section [Ol 

• extension of the assignment axiom [TT] to the above introduced class of 
assignments, and the recursion rules [T51 and ITU to the above introduced 
method calls, 

• extension of the results of Section[Sl notably the Homomorphism Lemma lKSI 
to this extended programming language. 

The details are relatively straightforward and omitted. 
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10.2. Object creation 

Most existing approaches to object creation (see for example in Q) follow 
implicitly the transformational approach by modeling it in terms of object ac- 
tivation. This can be made more explicit as follows. Given an array variable 
store of type N — > object and a variable count of type N, we model the object 
creation statement x := new by the statement 

count := count + l;x := store[couni\. 

This modeling of the object activation crucially depends on store being an un- 
bounded array variable. Further it assumes that store is injective: 

Vi : Vj : i ^ j — > store[i] ^ store[j], 

which is possible since we assumed that the type object has infinitely many 
elements. 

A drawback of this approach to object creation is that it involves an ex- 
plicit reference to a particular implementation. Since object variables can only 
be compared for equality or dereferenced, we show in Chapter 6 of our book 
Q that we can in fact define a substitution [x :— new] which statically eval- 
uates expressions in which x occurs, assuming that x denotes a newly created 
object. This in turn allows us to define the weakest precondition p[x := new] 
of the object creation statement x := new and w.r.t. a postcondition p which 
abstracts from the particular implementation of object creation. This yields the 
assignment statement 

{p[x := new]} x := new {p} 
allowing us to reason about object creation. 

10.3. Classes and Inheritance 

The transformational approach discussed in this paper can be readily ex- 
tended to deal with various features of mainstream object-oriented languages, 
like classes, inheritance and polymorphism (i.e., subtyping). As an example, 
we now discuss the details of such a transformation for a fragment of Java that 
extends the object-oriented language considered so far with dynamic binding of 
methods. This extension comprises the following: 

• introduction of classes as basic types, 

• use within the context of each program of a reflexive and transitive subclass 
relation and its inverse superclass relation defined on the set of classes 
used; we assume that this relation respects single inheritance, i.e., each 
class has at most one direct superclass, and that object is the superclass 
of each class, 
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• introduction of the assignment u := t, where the type of the object expres- 
sion t is a subclass of the type of u, and of the method call s.m{t\, . . . , t n ), 
where for i G {1, . . . , n} the type of the actual parameter ij is a subclass 
of the type of the corresponding formal parameter, in case ti is an object 
expression, 

• introduction of mutually disjoint sets T>c Q D object of object instances of 



Further, we associate with each class a set of method declarations. The 
instance variables of a class C are the inherited ones plus the ones that are 
introduced in the method declarations of C. An object-oriented program in this 
new setting consists then of a main statement and a set of classes, each with its 
set of method declarations, and a subclass relation. The semantics of a method 
call in this extension is captured by the rule 

< s.m(t), a > — > < if s ^ null — > begin local this, u := s,t; S fi end, a >, 

where S is such that er(s) € T>c an d m(u) :: S G C. In words, the class of the 
object denoted by the expression s determines the actual definition of the called 
method to be used. Note that this class in general is a subclass of the type of 
the expression s. 

We now explain how the programs formed in this extended setting can be 
transformed to the programs considered earlier extended by an introduction for 
each class C of a unary predicate C : object — » Boolean whose semantics is 
defined by 



In order to model dynamic binding in this extended object-oriented language 
we first flatten the inheritance hierarchy between classes by introducing a global 
set of method definitions D which consists of all method definitions 



where the declaration m(u) :: S appears in the class C itself or in the 'minimal' 
superclass C of C, that is, no other superclass of C which is also a subclass of 
C contains a declaration of m. We then model the semantics of a method call 
s.m(t) by the statement S nj inductively defined for i € {0, . . . , n — 1} by 



where {C\, . . . , C n } is the set of subclasses of the type of s. 

After establishing an analogue of Theorem l5.4l for the above transformation 
one could verify the programs written in the source language by verifying their 
translated version. In principle one could also derive proof rules that deal with 
the source programs directly, analogously as in Section [7] 



class C, 




m@C(u) :: S, 




skip 

if Ci+i(s) then s.m@Ci+i(t) else Si fi, 
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10. 4- Total correctness 

To focus on the crucial aspects of our approach to verification we did not deal 
with program termination. The appropriate extension combines strong partial 
correctness with termination and requires the following: 

• addition of a special state _L that models divergence, 

• modification of the definition of semantics to take care of divergence, 

• introduction of a new notion of soundness of a proof system, 

• replacement of the current LOOP rule H] by a rule that also takes care of 
termination, 

• replacement of the current the recursion rules [T3] and [Tl] by a single rule 
that also takes care of termination, 

• similarly for the recursion III rule 1151 

• appropriate modification of the proofs in Section [8] to additionally deal 
with termination. 

The details are presented in [IJ chapter 6]. Since termination is, roughly speak- 
ing, orthogonal to object-orientation, the transformational approach for (strong) 
partial correctness can be extended to total correctness in a straightforward, 
though somewhat tedious, manner. 



11. Conclusion 

We presented here an assertional proof system to reason about partial and 
strong partial correctness of a class of object-oriented programs. Its formal 
justification (that is, soundness and relative completeness) was carried out using 
a syntax-directed transformation to recursive programs. 

We proved a new relative completeness result for a class of recursive programs 
that use variables ranging over abstract data types (like the basic type object) 
and showed that the transformation preserves completeness. We also showed 
that the transformational approach can be applied to intricate and complex 
object-oriented features, such as inheritance and subtype polymorphism, by 
transforming them in the context of a closed program to the core language 
considered in this paper. 

Extension of the transformational approach to open object-oriented pro- 
grams, so programs that do not necessarily include the definitions of all the 
classes used (in Java for example such classes are imported from packages), how- 
ever, requires an additional study of structuring recursive programs by means 



of modules along the lines of the Modula programming language [31 J and of the 
corresponding proof-theoretical concept of a contract as introduced in the Eiffel 
programming language (20j . 
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Appendix A. Semantics 

In the following we list the omitted transition axioms and rules that define 
the transition relation — > . 

(i) <skip,a> — > < E,a >, 

(ii) < u :— t, a > -> < E, a[u := a(t)] >, 

where u £ Var is a simple variable or u = a[s%, . . . , s n ], for a £ Var, 

(iii) < x :— i, a > -> < i?, cr[x := a(t)] > 

< Su<T> < S 2 ,T > 

(iv) 

< S,cr > —5- < ^2; S,t > 

(v) < if B then Si else S2 fi, cr > — > < Si, tr >, where a \= B, 

(vi) < if S then Si else S2 fi, cr > — > < S2, cr >, where cr |= -^B, 

(vii) < while i? do S od, <r > — > < S; while B do S od, cr >, where cr |= B, 

(viii) < while B do S 1 od, a > — > < E,a > where a |= -*B. 

Appendix B. Axioms and proof rules 

In the following we list the used axioms and proof rules. Given an assertion 
q we denote below its set of free variables by free(q). 

Appendix B.l. Axioms and proof rules for the kernel language 

To establish correctness of programs from the kernel language of Section [2] 
we rely on the following axioms and proof rules. 

AXIOM 1: SKIP 

{p} skip {p} 

AXIOM 2: ASSIGNMENT 

{p[u := t]} u := t {p} 
where u G Var or u = a[s\, . . . ,s n ] and a £ Var. 

AXIOM 3: PARALLEL ASSIGNMENT 

{p[x := t\} x :=t {p} 

RULE 4: COMPOSITION 

M gl W,W ^2 {q} 
{p} Si, S 2 {q} 
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RULE 5: CONDITIONAL 



{p A B} Si {g}, {p A ^B} S 2 {q} 
{p} if B then Si else S 2 fi {q} 

RULE 6: LOOP 

{p A B} S {p} 
{p} while B do 5 od {p A -.5} 



RULE 7: CONSEQUENCE 



to! g {qihqi -> q 

M 5 {q} 



RULE 8: FAILURE 

{p A B} S {g} 
M if B^SR{q} 

RULE 9: FAILURE II 

p^B,{p}S{q} 
{p}iiB^SR {q} 



RULE 10: BLOCK 

M x := t; S {q} 



{p} begin local x := t; S end {q} 

where {x} fl free(q) = 0. 

Appendix B.2. Auxiliary rules 

Further, we rely on the following auxiliary axioms and proof rules that oc- 
casionally refer to the assumed set of procedure or method declarations D. We 
refer in them to the sets of variables var(D) and change(D) defined in the 
expected way. 

RULE Al: DISJUNCTION 

{p}S{g},{r}S{q} 
{fVr}S {q} 



RULE A2: CONJUNCTION 

{Pi} S { gi },{P2} S {q 2 } 
{pi A p 2 } S {qi A q 2 } 
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RULE A3: 3-INTRODUCTION 

M S {q} 
{3x : p} S {q} 

where x $ var(D) U var(S) U free(q). 
RULE A4: INVARIANCE 

W S {q} 
{p A r} S {p A q} 

where free(p) fl (change(D) U change(S)) = 0. 
RULE A5: SUBSTITUTION 

W g M 
{p[z:=i\}S{q[z:=t\} 

where var(z) n (var(D) U var(S)) — varit) n (change(D) U change(S)) = 0. 

Appendix B.3. Axioms and proof rules for object-oriented programs 

The following axioms and proof rules were introduced for the object-oriented 
programs. 

AXIOM 11: ASSIGNMENT TO INSTANCE VARIABLES 

{p[w := i]} u := i {p} 
where u is a simple or subscripted instance variable. 

RULE 12: WEAKENING 

{p A s =/= null} s.m(t) {q} 
{p} s.m(t) {(?} 

RULE 13: RECURSION I 

{pi} si.mi(ii) {(71}, . . . , {p„} s n .m n (i n ) {<7„} h {p} S {q}, 
{pi} si.mi(ii) {gi}, . . . , {p„} s n .m n (t n ) {q n } h 

{pi} begin local this, U{ := Sj, t,; end {qj}, ie{l,..., n} 

M 5 {<z} 

where rrii(ui) :: Si E D for i G { 1 , . . . , n}. 

RULE 14: RECURSION II 

{pi} si.mi(ti) {gi}, . . . , {p„} s n .m n (t n ) {<?„} h {p} 5" {g}, 
{pi} si.mi(ti) {gi}, . . . , {p„} s n .m n (t n ) {q n } h 

{pj} begin local this, u t := Sj, t,; end i e {1, . . ., n} 

Pi-> null, iG {1,.. .,n) 

M S {q} 
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where mi(ui) :: Si G D for i G {1, . . . , n}. 

Appendix B.4- Proof rule for recursive programs 

Finally, the following proof rule was introduced for the recursive programs. 

RULE 15: RECURSION III 

{pi} Pl(h) {qi}, • • • , {Pn} Pn(*n) ^ M 5 M, 

{ Pl } Pt(ti) { qi }, { Pn } Pn(t n ) {q n } h 

{pj begin local u l := U; S t end {^j, i G {1, . . ., n} 

where Pi{u{) :: ^ G D. 

Appendix C. Proof systems 

In the following we list the proof systems used in this paper. 

Kernel language 

PROOF SYSTEM PK for partial correctness: 

This system consists of the group of axioms and rules HHSl and [TO] 
PROOF SYSTEM SPK for strong partial correctness: 

This system consists of the group of axioms and rules [IH3 El and ITOl 

Object-Oriented Programs 

PROOF SYSTEM PO for partial correctness: 

This system is obtained by extending PK with the axiom [TT] for assign- 
ments to instance variables, the weakening rule 1121 and the auxiliary 
rules EMS 

PROOF SYSTEM P0 + for strong partial correctness: 

This system is obtained by extending PO by the recursion I rule 1131 

PROOF SYSTEM SPO for partial correctness: 

This system is obtained by extending SPK with the axiom [TT] for assign- 
ments to instance variables and the auxiliary rules IAlllA5l 

PROOF SYSTEM SPO + for strong partial correctness: 

This system is obtained by extending SPR by the recursion II rule [TT] 
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Recursive Programs 

PROOF SYSTEM PR for partial correctness: 

This system is obtained by extending PK with the auxiliary rules IA1I 

ESI 

PROOF SYSTEM SPR for strong partial correctness: 

This system is obtained by extending SPK with the auxiliary rules IA1I 

ESI 

PROOF SYSTEM PR + for partial correctness: 

This system is obtained by extending PR by the recursion III rule [T5] 

PROOF SYSTEM SPR + for strong partial correctness: 

This system is obtained by extending the SPR by the recursion III 
rule US] 
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